The In-House Lawyer

How long should you keep personal data?

The Data Protection Act (DPA) 1998 sets out several principles governing how personal data should be processed. One of these principles deals with how long such data should be retained. Schedule 1(5) to the DPA provides that:

‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’

The DPA does not, however, set out any specific maximum (or minimum) retention periods for personal data. It requires a data processor to decide when the data is no longer necessary for its purposes and when it can be erased from the data controller’s system.

CRIMINAL RECORDS

This issue has been in the news recently because the Information Tribunal has ordered five police forces to delete several old criminal records from the Police National Computer. Under present police policy an individual’s criminal record remains on the police database for 100 years.

The Information Tribunal upheld the view of the Information Commissioner’s Office that the retention of these criminal records was in breach of the DPA. Records that were kept included those of an individual who, reprimanded at the age of thirteen in 2001 for common assault, had later been rejected in her application to become a carer when the Staffordshire Police disclosed her reprimand to her potential employer. Another record, kept by Humberside Police, concerned a person who in 1984, at the age of sixteen, was convicted and fined £15 for stealing a packet of meat valued at 99p. A third case, dated 1978, involved a boy who had been released on conditional discharge for two attempted thefts and for criminal damage. The damage was to an arcade roulette machine, for which he was fined £25 and had to pay compensation of £6.60. None of the three individuals had re-offended.

The Information Tribunal held that this data had been kept for longer than was necessary for its purposes. It was accepted that the police no longer required the data for their own purposes, but the police argued that the data served additional purposes in providing assistance to, among others, the Crown Prosecution Service in the prosecution of an offence, the courts in the administration of justice, and the Criminal Records Bureau in the context of employment vetting. However, the Information Tribunal heard that individual courts maintain their own records of convictions, which are kept indefinitely. Although data held by the police for their own purposes ought to be provided to the CPS or the courts to consolidate their information, it does not follow that information that no longer has a policing purpose can properly be retained by the police in order to assist the CPS or the courts. Moreover, if the police hold information that is no longer relevant for the prevention and detection of crime, then its continued retention by the police cannot be properly justified by relying on its potential value to prospective employers.

This ruling potentially allows all those who have been convicted of minor offences at a young age and who have not been convicted since to request that their records be removed from the police database.

AUDITING YOUR RECORDS

One of the easiest ways to ensure that an organisation keeps personal data only for as long as is necessary is to implement a formal data retention policy, setting out what personal data should be retained and for how long, and making sure that all staff are aware of the requirements of the DPA.

An auditing procedure ought to be incorporated into the data retention policy to ensure that records containing personal data are checked on an annual basis to see whether those records still need to be retained. It may be necessary to keep certain personal data to comply with statutory requirements, for example tax records in relation to ex-employees. It should be emphasised that common sense needs to be applied when choosing to delete or retain personal records, and a consistent approach should be followed.

By Andrew Shindler, partner, and Doris Myles, professional support lawyer, SJ Berwin LLP.

E-mail: andrew.shindler@sjberwin.com; doris.myles@sjberwin.com.

For more information please visit www.sjberwin.com.

 
